SSL VPN Not Working Post ATP200/800 Firmware Upgrade


All Replies

  • NEP
    NEP Posts: 61  Ally Member
    edited August 2022
    Can we turn on some other logging? At the moment the system log shows nothing. It doesn't even indicate an attempted connection.

    In my mind at least, the issue is definitely caused by something in the firmware update. Under Firmware Management we have "V5.31(ABFW.0)ITS-22WK31-r104914" loaded in 1 (Running). The SSL VPN does not work. If we click on "V5.30(ABFW.0)" in 2 (Standby) and click Reboot, then after the reboot the SSL VPN "magically" works. No changes whatsoever. In that short time, the Public IP on the client side wouldn't have changed, which means the IP isn't being blocked.
  • NEP
    NEP Posts: 61  Ally Member
    edited August 2022
    We've done some more testing and the SSL VPN is working for some users. Well, one user, but they have tested it at multiple locations (all Comcast supplied). Waiting for a couple more users to get back to me. Anyway, those who are affected (i.e. can't use the VPN) are using Verizon's services. That is what I have and I've tried both my home internet and cellular hotspot. Neither works. Is it possible that some of the SSL VPN changes you mentioned prior (specifically MTU) could be unsupported by Verizon?

    Another user got back to me. They have Blue Ridge Communications as the ISP and it does not work for them. In case it matters, we as a company are US East Coast based and Comcast is the ISP at our three sites.
  • NEP
    NEP Posts: 61  Ally Member
    So much for the Verizon theory, just had two more users confirm that they can't connect to the VPN. Both are using Comcast. One of them also confirmed that they can log into the login page, so they know their password and the SSL VPN connection info is good.

    User (MAC=-) from http/https has logged out Device
    User (MAC=-) from http/https has logged in Device
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,063  Zyxel Employee
    Hi @NEP

    After our discussion, you have decided to roll back to the 5.30 firmware for now to keep the SSL VPN service stable. If you still need assistance in the future, please let us know. Thanks.
  • NEP
    NEP Posts: 61  Ally Member
    That is correct, we rolled back to v5.30 because we have users that need to use the VPN. Please do not take our rolling back as a solution. It certainly is not, as it will most likely happen again with the next firmware that is released (barring any changes). Something is not correct with the newer firmware, however, at this time we can no longer help with finding out what that is.
  • mMontana
    mMontana Posts: 1,300  Guru Member
    Following, I don't want to stumble upon this issue in future.
  • NEP
    NEP Posts: 61  Ally Member
    Hello. Just installed v5.32 and we are still having the same issue. The SSL VPN won't connect. Same log errors as before. 5.30 works fine, 5.31 and 5.32 do not. I saw in the changelog that there was a macOS issue with SSL VPN and ports not being identical. Maybe we have something similar. In any case, I have left 5.32 running and will send @Zyxel_Jeff "limited_admin" credentials for our ATP. Hopefully this issue can be found and corrected. Thanks!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,063  Zyxel Employee
    Hello @NEP

    We can access the ATP800 remote Web-GUI now. Could you add the zyxel support user account to the vpn_group user group for us? We would like to establish an SSL VPN connection to the ATP800 for troubleshooting purposes. I already sent a private message to you. Thanks :)
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,063  Zyxel Employee
    Hi @NEP

    We noticed that the root cause might be the limited-admin account. The limited-admin account cannot establish an SSL VPN connection, but a normal user account can establish an SSL VPN connection to your ATP800, as below:

    We confirm it's our current design.
    So, please use a user privilege account to establish the SSL VPN connection with your ATP800.

    Besides, sometimes customers mistakenly add an extra https to the SSL VPN server URL or use the wrong port number. That also prevents the SSL VPN connection from being established.
  • NEP
    NEP Posts: 61  Ally Member
    Answer ✓
    Using a limited-admin user is definitely not the solution. If you look under User/Group you'll notice that we have two admins and the rest are simply users. The limited-admin was created special for you guys to access the portal. Also, we don't use the admin users to connect with the VPN. That was disabled when you guys rolled out v5.00 I believe.

    That said, based on your screenshot, I was able to get connected. The issue being that I was using 9999 instead of 9998. However, this is not a solution either because prior to the upgrade to v5.31 and v5.32, port 9999 connected as expected. Why is it now broken with these updates? Is it not standard practice to use the same port? This is how the outside networking firm originally hooked it up.

    Again, this would seem related to "[Bug Fix] eITS#220701020 - SSL VPN client for macOS is not connected if HTTPS port and SSL VPN server port are not identical."
